Analysis

max time kernel: 639s
max time network: 606s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 10:30

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://r15stv.itch.io/chilledwindows#google_vignette
Resource: win10v2004-20240226-en
General

Target: https://r15stv.itch.io/chilledwindows#google_vignette

The #google_vignette fragment is appended client-side by Google's AdSense vignette ads and is never sent to the server, so the effective target is the bare itch.io page.
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 1 IoCs
Processes:
  resource                                                  yara_rule
  C:\Users\Admin\AppData\Local\Temp\1E8D.tmp\Cov29Cry.exe   family_chaos
-
The family attribution rests on a YARA match against Cov29Cry.exe, unpacked into a %TEMP% subdirectory. The Cov29LockScreen.exe binary and the covid29-is-here.txt file that appear later in the report share its naming, and the "Covid29 Ransomware.zip" download recorded under NTFS ADS is consistent with the archive they came from.
(signature title not preserved in the extraction) UAC policy values written by reg.exe 2 IoCs
Processes:
  description      ioc                                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   reg.exe
-
ConsentPromptBehaviorAdmin = 0 lets members of Administrators elevate with no prompt at all; EnableLUA = 0 switches UAC off entirely from the next logon. Both values live under HKLM, so the reg.exe that wrote them was already elevated: this removes future prompts rather than bypassing the current one.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  pid   process
  4424  bcdedit.exe
  1076  bcdedit.exe
-
(signature title not preserved in the extraction) wbadmin.exe 1 IoCs
Processes:
  pid   process
  4092  wbadmin.exe
-
Only PIDs are recorded here, not command lines. Two bcdedit.exe runs next to shadow-copy deletion and a wbadmin.exe run is the usual recovery-inhibition pattern, but take the actual arguments from the process tree before turning this into a detection rule.
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                              process
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  GuideLauncher.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  cmd.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  Cov29Cry.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  svchost.exe
-
Plenty of benign processes read Geo\Nation through the NLS locale APIs (cmd.exe does so here), so one query is a weak signal on its own. The reads by Cov29Cry.exe and the dropped svchost.exe matter only because those binaries are already known to be malicious.
Drops startup file 3 IoCs
Processes:
  description                   ioc                                                                                       process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url          svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini          svchost.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt  svchost.exe
-
svchost.url in the per-user Startup folder is the persistence mechanism: everything in that folder is opened at logon, so an Internet shortcut there relaunches whatever it points at (the report does not capture the target) without touching a Run key. covid29-is-here.txt, presumably the ransom note, goes in the same folder so that it too opens at every logon.
Executes dropped EXE 64 IoCs
Processes:
  pid   process
  3992  chilledwindows.exe
  3460  GuideLauncher.exe
  3988, 4580, 1120, 2028, 2588, 3980, 740, 4344, 2436, 4880, 4192, 1872, 3608, 1880, 4584, 1076, 3604, 1188, 4964, 1192, 4640, 392, 5056, 5116, 4944, 5836, 3624, 1420, 808, 1188, 4392, 432, 4976, 3896, 5320, 516, 3040, 392, 3844, 1596, 4016, 4692, 5420  rundll86.exe (43 launches)
  1072  mbr.exe
  536   Cov29Cry.exe
  1780  rundll86.exe
  1636  svchost.exe
  2404  rundll86.exe
  4820  Cov29LockScreen.exe
  3280, 988, 4504, 1828, 3336, 3252, 712, 4992, 5968, 3540, 1432, 4044, 2548  rundll86.exe (13 launches)
-
Two names deserve a second look. rundll86.exe is not a Windows binary; it is a lookalike of rundll32.exe, launched 58 times in this run. svchost.exe (PID 1636) sits in the dropped-executable list, so it is a file the sample wrote, not the service host in System32; the same PID appears below setting the wallpaper, dropping the startup files and registering a clipboard listener. PIDs 392 and 1188 each occur twice: Windows recycles PIDs within a ten-minute run, so a PID alone is not a stable join key.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
No IoC rows survived for this signature. With firefox.exe and msedge.exe both active in the session, confirm which process touched the profile before reading this as credential theft.
Drops desktop.ini file(s) 34 IoCs
Processes:
All 34 entries are "File opened for modification" by svchost.exe:
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
-
desktop.ini exists in every special shell folder, so a write-open on each of them is the footprint of an encryptor walking the whole user profile, the Public folders and a second volume (F:). The svchost.exe here is almost certainly the dropped one listed above, not the service host, which has no business opening these files for modification.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  chilledwindows.exe, File opened (read-only), in the order recorded:
  \??\B: \??\G: \??\H: \??\L: \??\Z: \??\M: \??\N: \??\Q: \??\R: \??\S: \??\U: \??\A: \??\E: \??\J: \??\W: \??\X: \??\Y: \??\I: \??\K: \??\O: \??\P: \??\T: \??\V:
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
Processes:
  flow  ioc
  378   raw.githubusercontent.com
  379   camo.githubusercontent.com
  380   camo.githubusercontent.com
  383   raw.githubusercontent.com
  384   raw.githubusercontent.com
  377   camo.githubusercontent.com
  382   camo.githubusercontent.com
  385   camo.githubusercontent.com
  386   raw.githubusercontent.com
  388   raw.githubusercontent.com
  412   camo.githubusercontent.com
  381   camo.githubusercontent.com
-
camo.githubusercontent.com is GitHub's image proxy and raw.githubusercontent.com serves repository files, so these flows are as consistent with a browser rendering a GitHub page as with a downloader fetching a payload. Tie each flow to its originating process before treating GitHub as the payload host or C2.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                   ioc                 process
  File opened for modification  \??\PhysicalDrive0  mbr.exe
-
Opening \??\PhysicalDrive0 for write requires an elevated token, so the dropped mbr.exe (PID 1072) ran with administrator rights. Whether the write installs a bootkit or simply overwrites the boot sector cannot be told from this one event; shutdown.exe was launched later in the run (see AdjustPrivilegeToken), and the post-reboot state is what settles it.
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7dg8uw1c8.jpg"  svchost.exe
-
A wallpaper value pointing at a freshly written image with a random name in %TEMP% is a cheap, high-precision indicator of this family's post-encryption stage; the writer is the dropped svchost.exe.
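The registry changes in this report (the UAC values written by reg.exe, the Task Manager policy the signature list flags, and the wallpaper value written by the dropped svchost.exe) are worth turning into a rule that reads the report's own "Set value" lines. The following is an added example written for this page, not code from the sandbox vendor or from the sample; the DisableTaskMgr line in its sample input is constructed, because the report flags the behaviour without listing the IoC, and its attribution to Cov29Cry.exe is an assumption.

```python
"""Added example for this page (not sandbox vendor or sample code): read the
report's registry 'Set value' IoC lines and flag security-control tampering.
The DisableTaskMgr line in SAMPLE_REPORT is constructed, since the report
flags the behaviour without listing the IoC; its attribution to Cov29Cry.exe
is an assumption."""
import re
from dataclasses import dataclass

# One report line: Set value (<type>) <path> = "<data>" <process>
_SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<data>.*?)" (?P<process>\S+)$'
)
_SID = r"S-1-5-21-[\d-]+"

# Four lines copied from the report, one constructed (DisableTaskMgr) and one
# benign shell-bag write by NOTEPAD.EXE that must not produce a finding.
SAMPLE_REPORT = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Cov29Cry.exe
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7dg8uw1c8.jpg" svchost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" NOTEPAD.EXE
'''


@dataclass(frozen=True)
class RegEvent:
    value_type: str
    path: str
    data: str
    process: str

    def key(self):
        """Path below the hive with any per-user SID removed, lower-cased, so
        one rule covers the same policy under HKLM and under every HKU\\<SID>."""
        p = re.sub(r"^\\REGISTRY\\MACHINE\\", "", self.path, flags=re.I)
        p = re.sub(r"^\\REGISTRY\\USER\\" + _SID + r"(_Classes)?\\", "", p, flags=re.I)
        return p.lower()

    def unescaped_data(self):
        # The report doubles backslashes inside quoted string data.
        return self.data.replace("\\\\", "\\")


def parse_set_values(text):
    events = []
    for line in text.splitlines():
        m = _SET_RE.match(line.strip())
        if m:
            events.append(RegEvent(m["type"], m["path"], m["data"], m["process"]))
    return events


POLICY = "software\\microsoft\\windows\\currentversion\\policies\\system\\"

# (path suffix, predicate on the value data, finding text)
RULES = (
    (POLICY + "enablelua", lambda d: d == "0", "UAC disabled (EnableLUA = 0)"),
    (POLICY + "consentpromptbehavioradmin", lambda d: d == "0", "admin elevation without consent prompt"),
    (POLICY + "disabletaskmgr", lambda d: d == "1", "Task Manager disabled"),
    ("control panel\\desktop\\wallpaper",
     lambda d: "\\appdata\\local\\temp\\" in d.lower(), "wallpaper pointed at an image in %TEMP%"),
)


def evaluate(events):
    """Return (process, finding) pairs; each line satisfies at most one rule."""
    findings = []
    for ev in events:
        for suffix, hit, finding in RULES:
            if ev.key().endswith(suffix) and hit(ev.unescaped_data()):
                findings.append((ev.process, finding))
    return findings


if __name__ == "__main__":
    for proc, what in evaluate(parse_set_values(SAMPLE_REPORT)):
        print(f"{proc:14} {what}")
```

Stripping the hive and SID in key() is what lets one rule match a machine-wide policy written under HKLM and the same policy written per user under HKU\<SID>, which is where the Task Manager policy normally lands.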
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                                                                      process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000                                          vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName                             vds.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                               taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                                               vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                  vds.exe
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature     firefox.exe
-
Both signatures fire on legitimate processes only: vds.exe (the Virtual Disk Service), Task Manager and Firefox. The DADY vendor strings in the device IDs are the analysis VM's virtual hardware names; they are exactly what a real anti-sandbox check would read, but none of the dropped binaries read them.
Delays execution with timeout.exe 64 IoCs
Processes:
  64 timeout.exe launches, PIDs in the order recorded:
  3020 5572 5248 1892 4984 4736 3276 3336 2984 688 4684 440 4640 2544 4948 2796 4276 2552 1076 4424 5884 5228 4912 1588 4268 4732 5868 5540 4760 3200 5676 5848 5540 5652 5656 4888 1992 1712 1180 4912 2252 1164 208 5956 2744 2716 2404 4900 664 2140 2332 4536 4032 5884 4540 1884 5596 4388 5496 4820 724 6132 736 3980
-
Sixty-four sleeps alongside the 58 rundll86.exe launches above look like a script loop that pauses between iterations (cmd.exe is present in the run). Several PIDs recur (5540, 4912 and 5884 within this list; 1076 and 4424 are also the bcdedit.exe PIDs, 1892 is also vssadmin.exe), which again shows PID recycling rather than any relationship between those processes.
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description        ioc                                                                     process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
-
The reader is the Edge browser; none of the sample's processes appear here.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1892  vssadmin.exe
-
Kills process with taskkill 1 IoCs
Processes:
  pid   process
  6056  taskkill.exe
-
The vssadmin.exe command line is not recorded in the signature; the service side of the call is visible below as vssvc.exe (PID 3656) enabling SeBackupPrivilege and SeRestorePrivilege. The taskkill.exe target is likewise not recorded.
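The bcdedit.exe, wbadmin.exe and vssadmin.exe launches in this report arrive without command lines, so a rule has to key on arguments pulled from the process tree. The following added example (written for this page, not code from the report or from the Chaos code base) shows the argument patterns such a rule should match and insists on more than one technique before calling the run a recovery-inhibition chain. The events are constructed with arbitrary PIDs; the command lines are the documented forms of these tools, not lines captured from this run.

```python
"""Added example for this page (not report or Chaos code): match the argument
patterns of the recovery-inhibition tools named in the signatures and require
more than one technique before calling it a chain. The events are constructed
with arbitrary PIDs; the command lines are the documented forms of these tools,
not lines captured from this run."""
import re

SAMPLE_EVENTS = [
    {"pid": 101, "image": "vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 102, "image": "WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 103, "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 104, "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 105, "image": "wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    # Benign administrative uses of the same tools; these must not match.
    {"pid": 106, "image": "vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 107, "image": "bcdedit.exe", "cmdline": "bcdedit /enum"},
]

# (technique, regex over the normalised command line, description)
RULES = (
    ("vssadmin", r"^vssadmin(\.exe)?\s+delete\s+shadows\b", "shadow copies deleted (vssadmin)"),
    ("vssadmin", r"^vssadmin(\.exe)?\s+resize\s+shadowstorage\b", "shadow storage shrunk to evict copies"),
    ("wmic", r"^wmic(\.exe)?\s+shadowcopy\s+delete\b", "shadow copies deleted (wmic)"),
    ("bcdedit", r"^bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", "Windows Recovery Environment disabled"),
    ("bcdedit", r"^bcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", "boot-failure recovery suppressed"),
    ("wbadmin", r"^wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", "backup catalog deleted"),
)


def normalize(cmdline):
    """Lower-case, collapse whitespace and reduce the executable token to its file
    name, so a quoted full path to vssadmin.exe and a bare 'vssadmin' compare equal."""
    cmd = " ".join(cmdline.split()).lower()
    head, _, rest = cmd.partition(" ")
    head = head.strip('"').rsplit("\\", 1)[-1]
    return (head + " " + rest).strip()


def classify(events):
    findings = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        for technique, pattern, description in RULES:
            if re.search(pattern, cmd):
                findings.append({"pid": ev["pid"], "technique": technique, "description": description})
    return findings


def is_recovery_inhibition_chain(findings, min_distinct=2):
    """A lone 'vssadmin delete shadows' has legitimate admin uses; several
    different tools in one run do not."""
    return len({f["technique"] for f in findings}) >= min_distinct


if __name__ == "__main__":
    hits = classify(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("chain:", is_recovery_inhibition_chain(hits))
```

Anchoring every pattern on the executable name after normalisation is what keeps `vssadmin list shadows` and `bcdedit /enum` out of the findings while still matching a quoted System32 path.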
Modifies registry class 41 IoCs
Processes:
  Abbreviations used below:
    <SID>    = S-1-5-21-275798769-4264537674-1142822080-1000
    <Shell>  = \REGISTRY\USER\<SID>_Classes\Local Settings\Software\Microsoft\Windows\Shell
    <ComDlg> = <Shell>\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
  description       ioc                                                                                                                         process
  Key created       \REGISTRY\USER\<SID>_Classes\Local Settings                                                                                 svchost.exe
  Set value (data)  <Shell>\BagMRU\NodeSlots = 020202                                                                                            NOTEPAD.EXE
  Key created       <Shell>\BagMRU\2\0                                                                                                           NOTEPAD.EXE
  Key created       <ComDlg>                                                                                                                     NOTEPAD.EXE
  Set value (data)  <ComDlg>\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000  NOTEPAD.EXE
  Key created       \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\<SID>\{4535A5D0-75C5-4D65-B9F1-278EB098D1A0}  chilledwindows.exe
  Set value (data)  <Shell>\BagMRU\2\0\MRUListEx = 00000000ffffffff                                                                              NOTEPAD.EXE
  Key created       <Shell>\Bags\4                                                                                                               NOTEPAD.EXE
  Key created       <Shell>\Bags\4\ComDlg                                                                                                        NOTEPAD.EXE
  Key created       <Shell>\BagMRU\2                                                                                                             NOTEPAD.EXE
  Set value (str)   <Shell>\Bags\4\Shell\SniffedFolderType = "Generic"                                                                           NOTEPAD.EXE
  Key created       \REGISTRY\USER\<SID>_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\                                          NOTEPAD.EXE
  Set value (str)   <ComDlg>\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"                                                         NOTEPAD.EXE
  Key created       <Shell>\Bags\4\Shell                                                                                                         NOTEPAD.EXE
  Key created       \REGISTRY\USER\<SID>_Classes\Local Settings                                                                                 cmd.exe
  Key created       <Shell>                                                                                                                      NOTEPAD.EXE
  Set value (data)  <Shell>\BagMRU\2\0 = 820074001c004346534616003100000000005a58a279120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe5a58a2796e58e8532e00000087e10100000001000000000000000000000000000000764ab3004100700070004400610074006100000042000000  NOTEPAD.EXE
  Key created       <Shell>\Bags                                                                                                                 NOTEPAD.EXE
  Set value (int)   <ComDlg>\GroupView = "0"                                                                                                     NOTEPAD.EXE
  Key created       \REGISTRY\USER\<SID>_Classes\Local Settings                                                                                 firefox.exe
  Set value (data)  <Shell>\BagMRU\2\0\0 = 56003100000000006e5801551000526f616d696e6700400009000400efbe5a58a2796e5803552e00000088e101000000010000000000000000000000000000006fb0330052006f0061006d0069006e006700000016000000  NOTEPAD.EXE
  Key created       <Shell>\BagMRU\2\0\0                                                                                                         NOTEPAD.EXE
  Set value (int)   <Shell>\BagMRU\2\0\0\NodeSlot = "4"                                                                                          NOTEPAD.EXE
  Set value (int)   <ComDlg>\Mode = "4"                                                                                                          NOTEPAD.EXE
  Set value (int)   <ComDlg>\FFlags = "1092616257"                                                                                               NOTEPAD.EXE
  Set value (data)  <ComDlg>\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000                    NOTEPAD.EXE
  Set value (int)   <ComDlg>\GroupByDirection = "1"                                                                                              NOTEPAD.EXE
  Set value (data)  <Shell>\BagMRU\2\MRUListEx = 00000000ffffffff                                                                                NOTEPAD.EXE
  Set value (data)  <Shell>\BagMRU\MRUListEx = 020000000100000000000000ffffffff                                                                  NOTEPAD.EXE
  Set value (data)  <Shell>\BagMRU\2\0\0\MRUListEx = ffffffff                                                                                    NOTEPAD.EXE
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                    NOTEPAD.EXE
  Set value (int)   <ComDlg>\FFlags = "1"                                                                                                        NOTEPAD.EXE
  Key created       <Shell>\BagMRU                                                                                                               NOTEPAD.EXE
  Set value (int)   <ComDlg>\IconSize = "16"                                                                                                     NOTEPAD.EXE
  Key created       \REGISTRY\USER\<SID>_Classes\Local Settings\MuiCache                                                                        SearchApp.exe
  Set value (int)   <ComDlg>\LogicalViewMode = "1"                                                                                               NOTEPAD.EXE
  Set value (data)  <Shell>\BagMRU\MRUListEx = 0100000000000000ffffffff                                                                          NOTEPAD.EXE
  Set value (data)  <Shell>\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000                                                              NOTEPAD.EXE
  Set value (data)  <Shell>\BagMRU\NodeSlots = 02020202                                                                                          NOTEPAD.EXE
  Set value (int)   <ComDlg>\GroupByKey:PID = "0"                                                                                                NOTEPAD.EXE
  Key created       \REGISTRY\USER\<SID>_Classes\Local Settings                                                                                 NOTEPAD.EXE
-
Thirty-six of the 41 entries are NOTEPAD.EXE writing shell bags and a common-dialog view state, i.e. an Open or Save dialog being used in Notepad during the session (the PIDL data spells out "AppData" and "Roaming"). The rest are Local Settings key creation by the dropped svchost.exe, cmd.exe and firefox.exe, a MuiCache key from SearchApp.exe, and one packaged-app deployment key created by chilledwindows.exe.
Modifies registry key 1 TTPs 7 IoCs
Processes:
  pid   process
  4664  reg.exe
  3572  reg.exe
  4940  reg.exe
  4420  reg.exe
  5356  reg.exe
  4848  reg.exe
  1692  reg.exe
-
Seven reg.exe launches against two recorded UAC writes (and the Task Manager policy the signature list flags without an IoC) means the signatures account for only some of these commands; the remaining command lines are in the process tree.
NTFS ADS 3 IoCs
Processes:
  description                   ioc                                                                 process
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 777166.crdownload:SmartScreen  msedge.exe
  File created                  C:\Users\Admin\Downloads\GuideLauncher.exe:Zone.Identifier          firefox.exe
  File created                  C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier     firefox.exe
-
These streams are the browsers' own download bookkeeping, not sample activity: Zone.Identifier is the Mark of the Web that Firefox stamps on every download, and the SmartScreen stream is Edge's reputation check on an in-progress .crdownload. Their value here is the download chain they document: GuideLauncher.exe and "Covid29 Ransomware.zip" both arrived through Firefox, which matches the Cov29Cry.exe, Cov29LockScreen.exe and covid29-is-here.txt names seen elsewhere in the report.
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  1636  svchost.exe
-
The listener is registered by the dropped svchost.exe, the process that also sets the wallpaper and drops the startup files. Registering for clipboard-format changes is how clipboard hijackers watch for pasted wallet addresses; the report shows no replacement happening, so treat this as a lead for string or memory analysis rather than a confirmed capability.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process              entries
  3684  msedge.exe           2
  1548  msedge.exe           2
  3948  identity_helper.exe  2
  6068  msedge.exe           2
  5388  taskmgr.exe          all remaining entries (64 listed in total)
-
Process enumeration by Task Manager and the Edge browser (identity_helper.exe is Edge's sign-in helper) is those programs doing their job; none of the dropped binaries appear here.
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  5388  taskmgr.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
  pid   process
  1548  msedge.exe (11 entries)
-
This is Edge's own process-creation mitigation (blocking non-Microsoft-signed images in its child processes), flagged generically by the sandbox; it is browser hardening, not sample behaviour.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (grouped by process; the report lists each enable separately and caps the list at 64 entries):
  pid   process             privileges enabled
  3992  chilledwindows.exe  SeShutdownPrivilege, SeCreatePagefilePrivilege (each three times)
  5476  AUDIODG.EXE         33, SeIncBasePriorityPrivilege
  4552  firefox.exe         SeDebugPrivilege (seven times)
  5388  taskmgr.exe         SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
  1076  7zFM.exe            SeRestorePrivilege, 35
  5552  shutdown.exe        SeShutdownPrivilege, SeRemoteShutdownPrivilege
  536   Cov29Cry.exe        SeDebugPrivilege
  1636  svchost.exe         SeDebugPrivilege
  3656  vssvc.exe           SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2984  WMIC.exe            SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36; the same sequence then repeats and is cut off at SeSystemEnvironmentPrivilege by the 64-entry cap
-
The bare numbers are privilege LUIDs the report left unnamed; in winnt.h 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. The signal in this list is Cov29Cry.exe and the dropped svchost.exe enabling SeDebugPrivilege. The rest is noise: WMIC enabling every privilege it holds is its normal start-up behaviour, vssvc.exe's backup and restore privileges are the VSS service answering the vssadmin request, and Task Manager, Firefox and 7-Zip are the tools used in the session.
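To separate the signal in this list (two dropped binaries enabling SeDebugPrivilege) from the noise (WMIC enabling every privilege it holds), the following added example, written for this page and not taken from the report, groups the "Token:" entries per process and applies two rules. The allowlist of processes expected to enable SeDebugPrivilege is an assumption for illustration; the LUID-to-name table is from winnt.h.

```python
"""Added example for this page (not report code): group AdjustPrivilegeToken
entries per process and flag SeDebugPrivilege outside an allowlist and bulk
privilege enabling. DEBUG_ALLOWLIST is an assumption for illustration."""
import re
from collections import defaultdict

# Privilege LUIDs the report prints as bare numbers (values from winnt.h).
LUID_NAMES = {
    "33": "SeIncreaseWorkingSetPrivilege",
    "34": "SeTimeZonePrivilege",
    "35": "SeCreateSymbolicLinkPrivilege",
    "36": "SeDelegateSessionUserImpersonatePrivilege",
}

# Excerpt of the report's entries (copied from the page; each process's
# privileges listed once, the WMIC.exe sequence included a single time).
TOKEN_TABLE = """
Token: SeShutdownPrivilege 3992 chilledwindows.exe Token: SeCreatePagefilePrivilege 3992 chilledwindows.exe
Token: 33 5476 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 5476 AUDIODG.EXE
Token: SeDebugPrivilege 4552 firefox.exe Token: SeDebugPrivilege 4552 firefox.exe
Token: SeDebugPrivilege 5388 taskmgr.exe Token: SeSystemProfilePrivilege 5388 taskmgr.exe
Token: SeCreateGlobalPrivilege 5388 taskmgr.exe Token: 33 5388 taskmgr.exe Token: SeIncBasePriorityPrivilege 5388 taskmgr.exe
Token: SeRestorePrivilege 1076 7zFM.exe Token: 35 1076 7zFM.exe
Token: SeShutdownPrivilege 5552 shutdown.exe Token: SeRemoteShutdownPrivilege 5552 shutdown.exe
Token: SeDebugPrivilege 536 Cov29Cry.exe Token: SeDebugPrivilege 1636 svchost.exe
Token: SeBackupPrivilege 3656 vssvc.exe Token: SeRestorePrivilege 3656 vssvc.exe Token: SeAuditPrivilege 3656 vssvc.exe
Token: SeIncreaseQuotaPrivilege 2984 WMIC.exe Token: SeSecurityPrivilege 2984 WMIC.exe
Token: SeTakeOwnershipPrivilege 2984 WMIC.exe Token: SeLoadDriverPrivilege 2984 WMIC.exe
Token: SeSystemProfilePrivilege 2984 WMIC.exe Token: SeSystemtimePrivilege 2984 WMIC.exe
Token: SeProfSingleProcessPrivilege 2984 WMIC.exe Token: SeIncBasePriorityPrivilege 2984 WMIC.exe
Token: SeCreatePagefilePrivilege 2984 WMIC.exe Token: SeBackupPrivilege 2984 WMIC.exe
Token: SeRestorePrivilege 2984 WMIC.exe Token: SeShutdownPrivilege 2984 WMIC.exe
Token: SeDebugPrivilege 2984 WMIC.exe Token: SeSystemEnvironmentPrivilege 2984 WMIC.exe
Token: SeRemoteShutdownPrivilege 2984 WMIC.exe Token: SeUndockPrivilege 2984 WMIC.exe
Token: SeManageVolumePrivilege 2984 WMIC.exe Token: 33 2984 WMIC.exe Token: 34 2984 WMIC.exe
Token: 35 2984 WMIC.exe Token: 36 2984 WMIC.exe
"""

# Processes that legitimately enable SeDebugPrivilege (assumed; tune per environment).
DEBUG_ALLOWLIST = {"taskmgr.exe", "firefox.exe", "msedge.exe", "wmic.exe", "procexp.exe"}


def parse_tokens(text):
    """Return {(pid, process): set of privilege names}, resolving bare LUIDs."""
    per_proc = defaultdict(set)
    for priv, pid, proc in re.findall(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)", text):
        per_proc[(int(pid), proc)].add(LUID_NAMES.get(priv, priv))
    return dict(per_proc)


def triage(per_proc, allowlist=DEBUG_ALLOWLIST, bulk_threshold=15):
    """Two rules: a process enabling almost everything at once (WMIC-style
    start-up, noise for known tools, a red flag otherwise), and SeDebugPrivilege
    enabled by a process that has no business debugging others."""
    findings = []
    for (pid, proc), privs in sorted(per_proc.items(), key=lambda kv: kv[0]):
        if len(privs) >= bulk_threshold:
            findings.append((pid, proc, f"enables {len(privs)} distinct privileges at once"))
        elif "SeDebugPrivilege" in privs and proc.lower() not in allowlist:
            findings.append((pid, proc, "SeDebugPrivilege enabled by a process not expected to debug others"))
    return findings


if __name__ == "__main__":
    for pid, proc, why in triage(parse_tokens(TOKEN_TABLE)):
        print(f"{pid:>5} {proc:20} {why}")
```

The bulk rule is evaluated first on purpose: WMIC also enables SeDebugPrivilege, and without the ordering it would be reported twice for what is one behaviour.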
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  pid   process
  1548  msedge.exe (64 entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
  pid   process
  1548  msedge.exe (64 entries)
-
Both are taskbar and window-message interactions by the Edge browser's UI process; no sample process appears in either list.
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
  pid   process
  4552  firefox.exe (13 entries)
  4820  Cov29LockScreen.exe
  4740  NOTEPAD.EXE (2 entries)
-
The entry that matters is Cov29LockScreen.exe: a lock screen typically installs a keyboard or mouse hook to intercept input before the desktop sees it. Firefox and Notepad install hooks for ordinary UI work.
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exe
description                       pid   process     target process
PID 1548 wrote to memory of 3360  1548  msedge.exe  msedge.exe
PID 1548 wrote to memory of 4000  1548  msedge.exe  msedge.exe
PID 1548 wrote to memory of 3684  1548  msedge.exe  msedge.exe
PID 1548 wrote to memory of 2516  1548  msedge.exe  msedge.exe
The sandbox logs one row per WriteProcessMemory call, so each of these rows occurs many times (the writes into 4000 by far the most often). All four targets are msedge.exe children of PID 1548 listed under Processes below: 3360 is the crashpad handler, 4000 the GPU process, 3684 the network service and 2516 the storage service. Same-image writes from a browser process into its own freshly spawned children are the Chromium sandbox broker setting the child up, not injection.
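The "wrote to memory of" table above arrives as one run-together blob, and the interesting question for triage is not how many rows there are but whether any write crosses an image boundary. The following Python is an added example, not part of the sandbox report: it parses the blob, collapses the repeated rows, and separates same-image writes (a browser broker writing into its own children, as here) from cross-image writes. WPM_TABLE reproduces the report's msedge.exe rows with the repetitions cut down, plus one constructed cross-image row (marked in the code) that does not occur in this report; `dropper.exe` and `explorer.exe` there are placeholders.

```python
"""Parse the sandbox's run-together "wrote to memory of" table, collapse the
repeated rows, and separate same-image writes from cross-image writes.

Added illustration, not part of the report. WPM_TABLE reproduces the report's
msedge.exe rows with the repetitions cut to a few each, plus one constructed
cross-image row (marked) that does not occur in this report.
"""
import re
from collections import Counter, defaultdict

WPM_TABLE = (
    "msedge.exedescription pid process target process "
    "PID 1548 wrote to memory of 3360 1548 msedge.exe msedge.exe "
    "PID 1548 wrote to memory of 3360 1548 msedge.exe msedge.exe "
    "PID 1548 wrote to memory of 4000 1548 msedge.exe msedge.exe "
    "PID 1548 wrote to memory of 4000 1548 msedge.exe msedge.exe "
    "PID 1548 wrote to memory of 4000 1548 msedge.exe msedge.exe "
    "PID 1548 wrote to memory of 3684 1548 msedge.exe msedge.exe "
    "PID 1548 wrote to memory of 2516 1548 msedge.exe msedge.exe "
    # constructed row, not from this report: a write into a different image
    "PID 7777 wrote to memory of 8888 7777 dropper.exe explorer.exe"
)

# Columns as the sandbox renders them: description | pid | process | target
# process. The header text is not matched and simply skipped.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_wpm(text):
    """Return [(writer_pid, target_pid, writer_image, target_image), ...]."""
    rows = []
    for desc_pid, target, pid, image, target_image in ROW.findall(text):
        if desc_pid != pid:
            raise ValueError(f"description/pid mismatch: {desc_pid} vs {pid}")
        rows.append((int(pid), int(target), image.lower(), target_image.lower()))
    return rows


def collapse(rows):
    """{(writer_pid, writer_image, target_image): Counter{target_pid: writes}}.

    The sandbox emits one row per WriteProcessMemory call, so the same
    writer/target pair shows up dozens of times; this keeps the count."""
    out = defaultdict(Counter)
    for pid, target, image, target_image in rows:
        out[(pid, image, target_image)][target] += 1
    return out


def cross_image_writes(rows):
    """Rows where the target runs a different image than the writer.

    A browser broker writing into its own just-spawned children (same image)
    is expected; a write into an unrelated image is the injection case to
    look at first."""
    return [r for r in rows if r[2] != r[3]]


if __name__ == "__main__":
    rows = parse_wpm(WPM_TABLE)
    for (pid, image, target_image), targets in collapse(rows).items():
        print(f"{pid} {image} -> {target_image}: {dict(targets)}")
    print("cross-image:", cross_image_writes(rows))
```

The table carries no parent/child information, so the same-image check is a heuristic: a write from one `svchost.exe` into another would pass it. Cross-check the target PIDs against the process tree, as was done for 3360, 4000, 3684 and 2516 above, before dismissing a same-image write.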
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
depth 1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://r15stv.itch.io/chilledwindows#google_vignette
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1548
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3ba746f8,0x7ffd3ba74708,0x7ffd3ba74718
  PID:3360
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  PID:4000
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
  PID:2516
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  PID:4628
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  PID:3236
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  PID:3036
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  PID:5112
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  PID:3480
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  PID:1972
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  PID:3184
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  PID:5296
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  PID:5420
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  PID:5612
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  PID:5620
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6124 /prefetch:8
  PID:5880
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  PID:5888
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6712 /prefetch:8
  PID:6080
-
depth 2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,69187352469718982,9043181406380633954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:6068
-
depth 1  C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4812
-
depth 1  C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4496
-
depth 1  C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:5328
-
depth 1  C:\Users\Admin\Downloads\chilledwindows.exe
  command line: "C:\Users\Admin\Downloads\chilledwindows.exe"
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
-
depth 1  C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x2f8 0x43c
  - Suspicious use of AdjustPrivilegeToken
  PID:5476
-
depth 1  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID:4700
-
depth 2  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4552
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.0.692983625\391872896" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1612 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e15fe68-4100-4af4-a02e-86391732eeb1} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 1964 1bf9d1ddf58 gpu
  PID:4732
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.1.1426504256\168971004" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20707 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4762d4b1-d310-47b6-a3c3-5704d9b21eea} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 2364 1bf9cd30558 socket
  - Checks processor information in registry
  PID:2612
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.2.1531906279\1032164725" -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 3060 -prefsLen 20810 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a112940-34f4-4ccd-97de-bc08d0d694fd} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3052 1bfa12a3658 tab
  PID:5592
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.3.450243310\857605415" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8bfc8b7-46dd-438a-8d05-a6635ea913a7} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3580 1bf9fd1c758 tab
  PID:5172
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.4.500358184\125831423" -childID 3 -isForBrowser -prefsHandle 4036 -prefMapHandle 4032 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f651086f-348b-423f-a58a-f5b31d2fac08} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 4048 1bfa22e7b58 tab
  PID:5928
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.5.1908591044\1055646886" -childID 4 -isForBrowser -prefsHandle 5148 -prefMapHandle 5144 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6de3896a-4d8f-4f1d-95a0-f0d61079e4c2} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5156 1bfa32cc858 tab
  PID:4532
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.6.479286168\2056470653" -childID 5 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43ab1385-1f74-4930-9311-944f50d79b28} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5272 1bfa32ce658 tab
  PID:3064
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.7.1599438782\881728523" -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31ddf510-3f9b-4964-8756-2abde79f009f} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5556 1bfa32ce358 tab
  PID:2036
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.8.1986022347\1858214759" -childID 7 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 26126 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {861fe320-ede3-45a9-b4db-0142ecaec4a6} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5892 1bfa4f0a258 tab
  PID:5552
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.9.1530892803\517018775" -childID 8 -isForBrowser -prefsHandle 5788 -prefMapHandle 5700 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d59cba9e-17a6-49ed-9930-c7ea3bd86412} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5684 1bfa0b99558 tab
  PID:4848
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.10.1942339683\1288345132" -childID 9 -isForBrowser -prefsHandle 4868 -prefMapHandle 1548 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1c5ec15-4cb4-4652-afda-20ff202168cb} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 6056 1bfa2d0a558 tab
  PID:3508
-
depth 3  C:\Program Files\Mozilla Firefox\firefox.exe
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.11.117803018\2065739475" -childID 10 -isForBrowser -prefsHandle 1548 -prefMapHandle 5580 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c01d496b-9aa8-4be9-89ed-32465244f784} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5660 1bfa418d058 tab
  PID:1652
-
depth 3  C:\Users\Admin\Downloads\GuideLauncher.exe
  command line: "C:\Users\Admin\Downloads\GuideLauncher.exe"
  - Checks computer location settings
  - Executes dropped EXE
  PID:3460
-
depth 4  C:\Windows\system32\cmd.exe
  command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D32B.tmp\D32C.tmp\D32D.bat C:\Users\Admin\Downloads\GuideLauncher.exe"
  PID:868
-
depth 5  C:\Windows\system32\timeout.exe
  command line: timeout 5 /nobreak
  - Delays execution with timeout.exe
  PID:1164
-
depth 5  C:\Users\Admin\AppData\Local\Temp\D32B.tmp\rundll86.exe
  command line: rundll86.exe
  - Executes dropped EXE
  PID:3988
-
The batch file keeps alternating these two steps under cmd.exe PID 868 until the analysis window ends: 68 launches of C:\Windows\system32\timeout.exe (command line timeout 5 /nobreak, tagged "Delays execution with timeout.exe" except where marked *) and 67 launches of C:\Users\Admin\AppData\Local\Temp\D32B.tmp\rundll86.exe (command line rundll86.exe, tagged "Executes dropped EXE" except where marked *), all at depth 5. PIDs in launch order, the two entries above included, timeout.exe first in each pair:
  timeout.exe: 1164, 5540, 6132, 2552, 1884, 736, 5596, 1180, 2744, 1076, 440, 2716, 4912, 5652, 5656, 3980, 3336, 1892, 4388, 3020, 2404, 208, 5496, 4424, 4888, 1992, 1588, 1712, 4640, 4268, 5152*, 5848, 4912, 736*, 664, 2544, 4032, 4760, 3200, 4584*, 2140, 4820, 4948, 5884, 4984, 4540, 5676, 724, 452*, 5884, 4732, 5572, 2796, 2984, 688, 4736, 5248, 4684, 2332, 4536, 5868, 4900, 4276, 5956, 2252, 5228, 5540, 3276
  rundll86.exe: 3988, 4580, 1120, 2028, 2588, 3980, 740, 4344, 2436, 4880, 4192, 1872, 3608, 1880, 4584, 1076, 3604, 1188, 4964, 1192, 4640, 392, 5056, 5116, 4944, 5836, 3624, 1420, 808, 1188, 4392, 432, 4976, 3896, 5320, 516, 3040, 392, 3844, 1596, 4016, 4692, 5420, 1780, 2404, 3280, 988, 4504, 1828, 3336, 3252, 712, 4992, 5968, 3540, 1432, 4044, 2548, 5660*, 6012*, 4672*, 2764*, 4220*, 4936*, 4776*, 5392*, 5936*
  (* = no signature tag recorded for that launch. PIDs recur in the lists because Windows reuses a PID once the earlier process has exited; each launch is a separate process.)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5388
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\UnblockPublish.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076
-
C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe"C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe"1⤵PID:1624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1E8D.tmp\TrojanRansomCovid29.bat" "2⤵
- Checks computer location settings
- Modifies registry class
PID:4956 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1E8D.tmp\fakeerror.vbs"3⤵PID:2112
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 23⤵
- Runs ping.exe
PID:5456 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
PID:4848 -
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
PID:1692 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
PID:4664 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
PID:3572 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
PID:4940 -
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
PID:4420 -
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
PID:5356 -
C:\Users\Admin\AppData\Local\Temp\1E8D.tmp\mbr.exembr.exe3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1072 -
C:\Users\Admin\AppData\Local\Temp\1E8D.tmp\Cov29Cry.exeCov29Cry.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:536 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete5⤵PID:5540
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:1892 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no5⤵PID:2624
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵
- Modifies boot configuration data using bcdedit
PID:4424 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no6⤵
- Modifies boot configuration data using bcdedit
PID:1076 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet5⤵PID:3772
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet6⤵
- Deletes backup catalog
PID:4092 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt5⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4740 -
C:\Windows\SysWOW64\shutdown.exeshutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5552 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 93⤵
- Runs ping.exe
PID:3652 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
PID:6056 -
C:\Users\Admin\AppData\Local\Temp\1E8D.tmp\Cov29LockScreen.exeCov29LockScreen.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4820
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3656
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:2188
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3236
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:4784
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
PID:6084
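The batch script launched at depth 2 above does the whole ransomware playbook with stock Windows binaries: it zeroes the UAC policy values, disables Task Manager and other shell features by policy, then the dropped svchost.exe deletes shadow copies, turns off boot recovery, deletes the backup catalog and schedules a reboot. Every one of those commands is also legitimate administration on its own, so the useful detection is the combination. The following is an added example, not part of the sandbox report: a small Python classifier that maps process-creation events to the ATT&CK techniques the report tags. The ProcEvent schema is an assumption (it matches no particular log format), the sample events are constructed to mirror the report's command lines, and PID 7000 is an invented benign control.

```python
"""Classify process-creation events by command line into the ATT&CK
techniques tagged in the sandbox report. Added example, not part of the
report: the event schema and the sample events are constructed (command
lines mirror the report; PID 7000 is an invented benign control)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the executable
    cmdline: str        # command line as launched
    parent_image: str   # full path of the parent process


# (ATT&CK technique, finding, pattern applied to the lower-cased command line)
RULES = [
    ("T1490", "shadow copies deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("T1490", "boot recovery disabled via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("T1490", "backup catalog deleted",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("T1548.002", "UAC policy value set to 0",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\policies\\system\b.*\b(enablelua|consentpromptbehavioradmin)\b.*\s/d\s+0\b")),
    ("T1562.001", "Task Manager disabled by policy",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\policies\\system\b.*\bdisabletaskmgr\b.*\s/d\s+1\b")),
    ("T1529", "reboot scheduled with countdown",
     re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b")),
    ("T1497.003", "execution delayed with timeout",
     re.compile(r"\btimeout(\.exe)?\s+\d+\b")),
]


def classify(event: ProcEvent) -> list[tuple[str, str]]:
    """All (technique, finding) pairs whose pattern matches the event."""
    cmd = event.cmdline.lower()
    return [(tid, what) for tid, what, pat in RULES if pat.search(cmd)]


def scan(events: list[ProcEvent]) -> dict[int, list[tuple[str, str]]]:
    """PID -> findings, for every event that triggered at least one rule."""
    findings: dict[int, list[tuple[str, str]]] = {}
    for e in events:
        hits = classify(e)
        if hits:
            findings[e.pid] = hits
    return findings


def distinct_techniques(events: list[ProcEvent]) -> int:
    """Number of distinct techniques seen, excluding the timeout delay, which
    is too common in benign scripts to count. Any one of the others can be
    legitimate administration; several together, as in the report, is the
    combination worth alerting on."""
    seen = {tid for hits in scan(events).values() for tid, _ in hits}
    return len(seen - {"T1497.003"})


# Constructed events modelled on the report's process tree (PIDs reused from it).
SAMPLE_EVENTS = [
    ProcEvent(4992, r"C:\Windows\system32\timeout.exe", "timeout 5 /nobreak",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(5356, r"C:\Windows\SysWOW64\reg.exe",
              r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(4848, r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(1892, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(2984, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1076, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4092, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(5552, r"C:\Windows\SysWOW64\shutdown.exe",
              'shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"',
              r"C:\Windows\SysWOW64\cmd.exe"),
    # Invented benign control: a registry read of the same key must not fire.
    ProcEvent(7000, r"C:\Windows\system32\reg.exe",
              r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
              r"C:\Windows\system32\cmd.exe"),
]
```

Two caveats when reading the sandbox's "UAC bypass" label on the two reg.exe writes: both HKLM policy writes only succeed from a process that is already elevated, and EnableLUA=0 takes effect at the next logon, so they disable UAC for later sessions rather than get past it. The cmd.exe wrappers in the report (for example the depth 5 cmd.exe /C vssadmin ... & wmic ...) also match the same rules, which is desirable because it ties the finding to the dropped svchost.exe parent.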
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Indicator Removal (3): File Deletion (3)
  Modify Registry (3)
  Pre-OS Boot (1): Bootkit (1)
Downloads
- Filesize: 11KB
  MD5: 8e0e721356bd94930721ca2bcaa602b7
  SHA1: 29d8514c2060739df67e0ba608dbe75490766278
  SHA256: ba2e2eec98ba47a5cc092c1ff06274e3aaefae23a29380124aab05f4de29f8c9
  SHA512: 8a0109ee619b09238d82076b75c55c4567d856620598470ab8b76a575547e2af0a7f63e87e3ad2b70f657ba5c2fafaf65b34971c9bd7e418b22ef902008a6ee8
- Filesize: 152B
  MD5: f35bb0615bb9816f562b83304e456294
  SHA1: 1049e2bd3e1bbb4cea572467d7c4a96648659cb4
  SHA256: 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
  SHA512: db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
- Filesize: 152B
  MD5: 1eb86108cb8f5a956fdf48efbd5d06fe
  SHA1: 7b2b299f753798e4891df2d9cbf30f94b39ef924
  SHA256: 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
  SHA512: e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 168B
  MD5: edba2f3b690727752e1d41b4f84db24c
  SHA1: d4765ecd32e519bcd0190cab72a210be5ce88f67
  SHA256: 53b4971becf2fd838be1535041cd4dba5b32b15f22f44e48320994db21c71053
  SHA512: e823b8fb02715d0115c4df654bb37cd43738f67a63946f6cc5748c7412ec8095255940773aee2697395e46383adf9dda12cefaad67122e9bbf7dad8f5b2442f8
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 552B
  MD5: a726e8001461b0b14e9c1b4fdd0b2868
  SHA1: 746c52c46225f93afd1bd0620f6f0e58db28643e
  SHA256: cc8ad756e58be6744955ec392bb64fa679be0eb327531bf42ad1797e63c23e54
  SHA512: 3f130eb6bd11d6387f28a1ba5318bc4691f664855fcb12e26e6e96856e9388b54a85eef08a6e0e3a716d3b9ec53456e9605a1ef336a8065219c2650305be6271
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 2KB
  MD5: 10df12d689298456d69938209837f607
  SHA1: 826afcca30f1a53233dd00e5a03b5dd951b99875
  SHA256: ef0829c2033683acd7ab1d929f1a9af765eead6be9613a51cda1af2c49e2129a
  SHA512: bc60e9f86d09b9fc7eabec359af67c44e54039439f6726ecac4ef7e51a2783f0afcea9b9bb34e079d20c452ead7d69d5bb431b4e5d7fd266d4d23c4ce53c89d2
- Filesize: 6KB
  MD5: 148d2ebea122cb95c0aa26b8676a995c
  SHA1: 8b68d2087228fe8b51bf9d7dc9e30ff624abb00b
  SHA256: 708b3c3755d90028e2be651828a196f8a474edf346699379631e5a71a0e7e24f
  SHA512: d25a864017480978387d3142388717164e856a29f23313a45804344a653c52a67c9ba8d2ab751c85e9e2f0769fc2c52c3388a93469dd3f43ebaa03a5817f062f
- Filesize: 6KB
  MD5: 21917303171d979aa47fcfed239e9cdd
  SHA1: a2c7c3e19bd78da50a8edba28cf8d3d87c176033
  SHA256: 94d1b5e030160775b85ebf16bc3b8c08db992ad9ef89cdc5c9e20a17e45c6c5a
  SHA512: f3f517c4af1bf5d2ed51e0e7bbe4d7844fcc21adcbc275dbf218dc3714ddcd52cd731211e7f343a19cc0373e9665bdd604c1513425eff6be169de735d3903120
- Filesize: 7KB
  MD5: 06d9f65d9ed0aa4cfeb50c9fd89f6541
  SHA1: 9574f503ac3bff0622b38cc70eb34aa7e94b2f72
  SHA256: 14c53be18b0c52a162f07fd4a6902e9f0ab5a55f5f7a29a2db5f8d2c4ab1bee1
  SHA512: 2e925721730e7d506de20808b76a39f712fef694dfacf01a64764ded057de81253843a05e18d9a034b450ed60651eb97eeaf1f4e47c80666892e6c99ea1bc88a
- Filesize: 7KB
  MD5: 7f9b5773eef5ae6e447a36e741cac137
  SHA1: e1fb2f7eef883ce11bec548ddad38e638137f019
  SHA256: 790759cd6bfe213227d1566a6262a1707c5a95b851d73e8355ff478cb885e9f8
  SHA512: d96c9edf24254a1d1a3031d469e4d0c5d90caaa9aafc9f4812d230f083b1c250a9a4a6926f385a4f145e99068560d5cc838a6382ab7b87fc3dee506b4f57a87c
- Filesize: 7KB
  MD5: cfb6b4ffe55d544b38675c9b8900b096
  SHA1: a90727733c8e9b3ec374ee000a581c5c29244ce6
  SHA256: b59512d22a720329cc4775517eedafcf89a4dbbb366d4bc11f3748f386878b2d
  SHA512: 30255850bcf2b0560e42584353a790ea291f3c7984ebc77791bcdf316bcbde19df8a6b694405a6eb7a27f8fdca88cfa659f023eaba1dbf19b1c95530b0bd55a0
- Filesize: 371B
  MD5: 26106ac7c22170c3a3b26da2e8a8d1ff
  SHA1: 821632c6e177b8947cc107920176278b4838fc40
  SHA256: 6f5786732d449ce8d422eca75b303a8215a2f88246da1f5c0e5571811d3c77b4
  SHA512: 3bf45fe7408319404ca5fe5fd8cd11de48017529c4f63c13932681caa238534dacb3dbf51ba6662ecad7c18cb651bc9eb30dceadbf86e0cd90bef085769d081c
- Filesize: 203B
  MD5: ab229dc69dde844aed2482c1cea496cb
  SHA1: 4f15a54b56d116f3de1c0e52ebc20197ed58d12e
  SHA256: 01f53acd2f2baac510994b9604d4a070a7fce1707b7a4246871fcb82ce4fc56f
  SHA512: 3e384a450dbc2ef29c9d26e7eb0b83bfdedd92afe37aea98fc08e99e216752883823c683a85d434d84b391ad395d821bd9cc509da2fd00d4fd8f41f756b59e25
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 65641e24677b5bc339a0c97ce7fff844
  SHA1: e390af26bb1e62426c663ae704a8e7a037c7b804
  SHA256: 94a5a4f9d3364f4a9b2659c548157a3166e0839c23a822d1c17ef25fab0612d2
  SHA512: 758f904953e38296a79b5233af906147df412780cd4a04302993b695601f2b6749fde350781bfc3587538388ba3746a70601a9c4b2ba9b607f456ce91da21f6d
- Filesize: 576KB
  MD5: 7ef6a69be7cc187e88c5f4c12a7012db
  SHA1: feaeed0bf3b3daa62806ed0ee165bb2db4019afe
  SHA256: e085e9d51059f6c0b2454271365e41a9bddd93278814183102b377cc5de2465a
  SHA512: 63600409b7f91109439f130cbabe1cb7e7dc57e57d5bdc07caf63017a6c517b4a55406825170d0b3c2c3972975afa88d3a9f5ba8f7969b6a1b96a8326f2fa4ef
- Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
- Filesize: 16KB
  MD5: 9511d22d4c2dd40dc1de7e1a956bb679
  SHA1: 3b5e419aa00639843425175aed43adeb511d1738
  SHA256: 7684aab5ef6ebe347f84fe7c6e3eb1a50ce0aab943c23eee30eef206b73fb7f6
  SHA512: d49468d62b03bba06b264647173db24e545f2e7637291ddc4c2152ec9071135b39f2dfe3bc7c12c4a7558c23903200d9e9738c8e869de3547a7dd159c6b81ca8
- Filesize: 16KB
  MD5: afceb4480321fc8b0caf757b60e098b2
  SHA1: 8ed583d5c64027aa24f51b87ba9c9f5382234600
  SHA256: b9f1a968a70af2bef9c848cc2afa4c359a65009b28646289e7275fdda8bbc3da
  SHA512: 49b7ad940c8ebef22c1d8fa1ee61b2fc38211d82d8c07a8525a9614e7bedfc64a16fb3847f08382058aaa17ddde39c86e7563f689e6eb6bb8186245ab49a3c49
- Filesize: 9KB
  MD5: 800e43780f92dd63f220dce61d070d03
  SHA1: 15f6b5eea195bd95ad0535c11695a9ce55665777
  SHA256: 8b8b186bf1804ca1e886ddddef3b08e5d6246af67423cb1b14d7fc800eb4d1e3
  SHA512: 865de04cbbf081c423ff1c74cab0010fdf1c3cfa6c772450330fe7cf140d9580c55da05539081e21a1490293e37cd683b353a1d19f10ae7b090026c552d92ec3
- Filesize: 16KB
  MD5: be4f0f14535c095aa3ffe4e721e0a9ed
  SHA1: 5de2e9cc2cfeb980fc6e04444100a1a6f27d0a44
  SHA256: 5a511c1607d2bd40971058c7e830fa9970e36a44700c5b01ef1e0520f148793b
  SHA512: 2f912a220c6eb60083c3e0cb11c6497f373dc7ddafab42d2d11d857251a3404b141b8893eedfe3b7e7a389446dc1267806bb634f291535b8827434f8fd7851de
- Filesize: 16KB
  MD5: 064d7575272ed31b02ba30e79de7c073
  SHA1: 815174bd07a598fc7fbe32e707a98aae574b5a1a
  SHA256: 9dfd2a6e80939615e66a71ce363b616582885072061187fee135b8f934a70673
  SHA512: 3726af935ffd98b0c4aa5973b9768c06145615e4a90312050f3382c10aa81e288d74610c2db877d3223491f112be6300efabcc9954702d6849a6dfcd7d31b7f8
- Filesize: 16KB
  MD5: 761521673ebc17f3c093211078f549ea
  SHA1: 3fc087241ad7aef17b87e50392c3323eb255786d
  SHA256: 8cfc5d55df2ee59718144165fd915d925c1e24ac4a913bfb24d1474f09ea7356
  SHA512: 06177d56e2d9df894e30d9744495904bf5786adcac1547284b579f007c32cefbee37da0b42ccc169d35d039e0f445a18877765bb72468e3f7c14a5dbbe41f24a
- Filesize: 15KB
  MD5: b6f04bca03911282f40cc0059b8cc4ba
  SHA1: 8972243a8589537ad4835d7d12a81a3b186207ae
  SHA256: 034abc0c361e45befe9da40d53af42b6ec05f3584f94b76c8c3e591345c55e27
  SHA512: 9b82517a2b6e6278a47af9243068ae124f94643c8e27ced2369f317d9029a02a5896fbf9dce74a54cf3974c69a3b55d98318058c723991a57b295576f3ed21f5
- Filesize: 16KB
  MD5: b752f284721aeb67b46c1a26bccddc93
  SHA1: fb7726d7ec9ae09746ec05fe1a071de3411f4529
  SHA256: f9edc249675b244ae01ed80f6fda459ddd9e26ed0fe346a13180af7bc0cf12b0
  SHA512: cf1671e5948a64a8214ce3e7baef78643d914940522f3cba3f06e71cd8b8b86b4f86dad2e718b83e03e60f26de1c72dd19f48903f1b58e493386551a153a1051
- Filesize: 10KB
  MD5: 40082a89c8b4dc975fcac27f9eddc6a3
  SHA1: 6698214def6093056f9554324babf751471b426b
  SHA256: 8a58733ade26ca2ddafa45e11b9f472816a83e7d780f72be79e533483c7b163d
  SHA512: 0f2da42a0d6394596290b92b2eada0e53c35db725a1d16c5f0787a426cb93dd5c61211fcca5ed02067b2379b00d04edb9f117b3b6eb9a93a749f2f84f7bfb7c3
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\0DE9FB5C7CA5471CF31BA52F40296DC937FAB323
  Filesize: 33KB
  MD5: 04dd616ca786fd38ef60e7228144ef25
  SHA1: 016a85023aba3960b060216ba95d9f91234ba7d1
  SHA256: 1c6e394cee203e866e3533b077f676c5434fec53ce7afa06dab27eac00ab4172
  SHA512: 71376d7d411e384eda2c6188adea28820411cde247bfc536424a6d4883c3dae62bc64455e56ce32adf786c9bcca44073903de214af6ef152b4b5f7c808db334c
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\175FC1F27DF5030D57F8D0FF3A5E0CD7039CB332
  Filesize: 35KB
  MD5: 77a341602fca38014ae816ada02a00b4
  SHA1: d2b6de7c0d479f15f98f283d10910f6357f9577f
  SHA256: be3d90a20bd32a11e836f949280012440bda0ac741f4669c58e479875c11ebef
  SHA512: 011ac2231e414ca346ba105d4dd79746ade96cbdff3e643d75a034181141014512f265fed432fc9d50da776beb0b7e9322a7e36f509e75edbe35e287f27cb3f0
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\37726912E3A0ECD0EF3A8E8B963AC6B4786CB098
  Filesize: 950KB
  MD5: e781330c1a3778d681d44f23685a7a9f
  SHA1: 0c476012ea6276b0da3d4db9320f940acc6c516e
  SHA256: ec5732cbf23ac176d3c3c96f368a8d1f1d67c46e9d5d11a67d25f2aac2dd39e8
  SHA512: 27a11d681314e40b5a043461b616ec032a15077b5b3a30085bef2353d6233157e1c104f0c5f7733fdf29797c2bfac06ec68658ec919e4600e18263fd98b3df22
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\59A9CDD14397474EF7EE68BEB9E75A8A2823BA07
  Filesize: 112KB
  MD5: 607555cf554dd9788adbb6143e74ab00
  SHA1: 09f91ba741f8950c0292d92e2d552ba3a89ba76c
  SHA256: 8e418752a342a73c783b69741981097c36d9fcb22024b6113e9cb0f91b42c590
  SHA512: b34ff2e099e76c718525e6af7e4a395fae56f71ac39914c54b0c9f8d2a4a2a0777342b6a0d72ef282d2912ca4d57fac540aef77089566c45ce8a390c012afc9d
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\634E16DC7AF73196290DC0EEA7EC63EF6B95A520
  Filesize: 40KB
  MD5: a00453f62af17933d082202caa9de5bd
  SHA1: 31bc75c3614a180fdf0e8d93853cc8b7878f6a63
  SHA256: 3129b9fc84c4b0135fbf6d1e1412f7bbf97c4d46afe029456e3310edbd9e7909
  SHA512: 8c3cc60e682a15a153b67fb862514e238fe64eef6bd5dfd8134e4efb3ddc94ae474d412bfbb3e0904c928fdb8994d0d949ad58659696452fba35952baac7ddfe
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\7BEC118E9178654B061CCB804B21F0586EB281AD
  Filesize: 69KB
  MD5: c040dba12ab6542d9a2927c4d475db95
  SHA1: 0b32438e52f8e8697958b0119f03b3e591c4943c
  SHA256: ce442affae8dbb38065edaac89d497139b56ae0a961f67149bfd3c586fab1b47
  SHA512: 04538606578a147c9506148ba9c8b1972360d9110bfd0aaf5766dd8f6886cc90a421a04d9b30d1ca2316fbcfe3862971721853fb9a9ae51588ea98be7e388f64
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\83034475DCD175EA116CE1FF243C16C26D56582D
  Filesize: 71KB
  MD5: 787f8da94053e98e9c151084b355e7fd
  SHA1: 3db84dba0a3614128eb0ac89ce6c31db93228741
  SHA256: bead55dc476f3e88a7036f0afb907cdcfff607e241fa631f5b70e19047e3c392
  SHA512: 823159cbe7026c88f466b7d08c5f37c0bad74b2a2156a22f0c35a450fa1b96c1254ff1351a63fdecd5779ca5bbb72ea3a542da1959c218cab82132584437ba71
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\9C2BBC7137762B4CA02A130A09A82F71C29112CE
  Filesize: 327KB
  MD5: 3d1d5dc1a785ae2356141315c0a5f4d3
  SHA1: 84526785c003c9fe2641be7d033b6cbc3c40e465
  SHA256: 03573a3a89f4f2a7ec5427daa9a40a5f39d023f307340277c2c4b057fa14042b
  SHA512: 18d56f931d649a5ad7651a8039f9599d14f05d81bb22aa48938c1d10888386a57ed695ac4caf0560a24acc69e947c28722492a2713f8ddfc08db6726ef7e373d
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\E538109CC067456137B6A021704D566DDE0968FE
  Filesize: 55KB
  MD5: 291343bd4dd3ddc398336c1158532705
  SHA1: d4c7495f5368eb4d5a5704eeff00c7faf1c00f34
  SHA256: 328063637950030a39037627c4e3eedcd108ba9aeda54dcb306a5e8534f4eb52
  SHA512: 189f845952e2e9b317d55346f13602299706c18511e8dca151cde680c1ad011e554e85bebc9b6058368a044b219f4bc2a0a3ff4ecf692f7d0d27cc6501241b65
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\jumpListCache\dVZRJOeUljGak_ZespfN_Q==.ico
  Filesize: 691B
  MD5: 42ed60b3ba4df36716ca7633794b1735
  SHA1: c33aa40eed3608369e964e22c935d640e38aa768
  SHA256: 6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8
  SHA512: 4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\jumpListCache\ie9wT+n82d7FM2kSLXJ5IQ==.ico
  Filesize: 25KB
  MD5: 6b120367fa9e50d6f91f30601ee58bb3
  SHA1: 9a32726e2496f78ef54f91954836b31b9a0faa50
  SHA256: 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
  SHA512: c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133548865096467941.txt
  Filesize: 79KB
  MD5: 6a69acc2a34dd47b3a05396594d2f2f6
  SHA1: d5e110101a48b94311cecd8a29d0e1722a566325
  SHA256: a28b01a89658704dd1c7af071ee6ea3b6a9209389d4b3cd3f1171628d2c555cf
  SHA512: 433608f5465fcc46eb35b7285988b093a5411cb5e7b9077dc7f60e131413b808982e2acb3e4d18bbca6be5b9f0c8a76ceb49a8132885a085d7952830b728a8fc
- Filesize: 103KB
  MD5: 8bcd083e16af6c15e14520d5a0bd7e6a
  SHA1: c4d2f35d1fdb295db887f31bbc9237ac9263d782
  SHA256: b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
  SHA512: 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
- Filesize: 1.3MB
  MD5: 35af6068d91ba1cc6ce21b461f242f94
  SHA1: cb054789ff03aa1617a6f5741ad53e4598184ffa
  SHA256: 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
  SHA512: 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169
- Filesize: 72B
  MD5: 68b7b411b72e9dd415d3166e15afde77
  SHA1: adce44aeba7c9793ed1d82c90c1659d9cca49ad5
  SHA256: 81dfa0d23106ef51fac23da58be3696cf84e0be15e3e6c22e0410741091ce892
  SHA512: 03e5071d96ca4e02c7209a19f053bb55d54ddaaa23198f888280761dc413a179dfb90908f1eb6db715f0e7a5479675f6a606f540e0fd93e0b19e1c4f7ee62cc5
- Filesize: 474KB
  MD5: 914634831f03b7756db3cb09add84965
  SHA1: 0a7d3282f61c5b997f54ba2e9bab931962e8326f
  SHA256: c65a6207582850522a078537a6adbd9fcc6fdd4fcf5ae1cb9b9bba1652fcf494
  SHA512: 14a64a030c78c3d76bb9bc4da1c215ae69813c03d7fe9a54faeb7777a790392ac29a31f36c1f3e47a034cbfaa6849a354e8eee7f88db3a1129fbf29bd03d88d0
- Filesize: 1.7MB
  MD5: 272d3e458250acd2ea839eb24b427ce5
  SHA1: fae7194da5c969f2d8220ed9250aa1de7bf56609
  SHA256: bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
  SHA512: d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  Filesize: 16KB
  MD5: 1ee0c8e116153567ff12bbb8fb25c3ff
  SHA1: be23da6357d35397329c653a7f6368da9a21d9a7
  SHA256: 0ec9d2c5bba0f61118df01ee0f1511287c27fedfc9783a8894c19c25b63cb290
  SHA512: 211c57b4500a55d5b9dda6689c6ac09caf90ba67b505dd723cbd780a379c7648fe4debd80e8d93ee6e9650b531c206c1ba6a24b9ff2684ea7a4d9db76242387e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  Filesize: 21KB
  MD5: 8d178554e4a4bdda6cb0aec7d44e909c
  SHA1: 1e66e0748225ae4a03a71cecc17a2218730e6c13
  SHA256: 341b8413019de5ddc9fd28248a57654ed9f24c80e7c38d167f4095286048d4b0
  SHA512: 1d45c5ecae9038622f54be4a3cc224ec980e3b97b61ec1d7dbb48427713e39265b316b0311fcfa5aa997b3607103c7b0de6236219649745b873fdfc6673646ae
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 5e85d567c1f9598ea34335d60a79f144
  SHA1: 822c71577856cb12b22194cf5c4de6bed2f51c1b
  SHA256: 19349dbb2e5dd9ed611a974ecd8ff2a562e0e6503963d817be9efa72354ab085
  SHA512: 3f72fbd91865908fffa8e446bfb69b5dfe26dc150552cacf84a93ba3519699120e92b6622fa6e132fb4437a79839ffc34849e32c7094deb5e25f03aea3e95efa
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\863b2436-fc54-49b7-ac8e-df29adb02589
  Filesize: 10KB
  MD5: b9be8ce688001c4a3fdbd196c2361952
  SHA1: 54b8c5461cb4d6624a815b83c87b0df8a0513acd
  SHA256: 97619877189a82d4957e9506c321c9a48439a3b61b1b612a0463dde7f0b19de3
  SHA512: 13ab09860ca0e187c0788bf0648bd366baf211dc177e65f62fb0bb8528a9b77cece3792b33be5245b680a869492de0f18cc7643b96fc5676f7184e502d4e397d
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\9e4e56f7-1dd6-442c-8a1f-c810e5cdbe96
  Filesize: 856B
  MD5: 1093729ff3b544b557f392afd1ed0431
  SHA1: b6d8497f83cf447820843c812e2d2f219afb9b11
  SHA256: 9babc3bfd72f8f7ead03149f8d7c550e32854f4f9fb865e01f1e23ca2f3cec67
  SHA512: 4577c905662cf1af1a90eddb68ad61803e858b6363a6404fbb402e5a55fa08a3a94ee0d2f9ab8731177aba5a8e61a9757a97e780188c6bf165fbe8bf56f1694f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\ad116a58-5bf4-4b4b-997b-751c1292326a
  Filesize: 746B
  MD5: 8118d2c7d727a9e7b2fbf67f17269574
  SHA1: 12d7e97012f3bdef350623829cc5701a8933fc9a
  SHA256: a6cd83b5688db81448c7277d1c9985d74997c537f246ed40f660bc2f4e1303ab
  SHA512: aff6a43e0740414783a3dbfdabd5644200d4a8417bed016cbb59d892a5064bb7513da62a5d0ef976c8968b5e5c721dffd95ea790531bc30b4a44be49e786e40e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\d92738d2-3b22-4d34-8437-e9330a4225e5
  Filesize: 1KB
  MD5: 68e9b2ec6663b59e59c5b853c2bcc003
  SHA1: 920bc132781f0d8def38cacdcdf7601d220baf3f
  SHA256: 4a51ea241ef5eb48d6286b4c313328799fec0d9747f02848f44b0d16ff4cf464
  SHA512: 490afe83c37db2e561c424d49f9ef22bf0ee87451b61e7263988df9d1159027149485bd7fb4b9696d266dfc6debb0abdb2fff433786d4f4ab1965b0ffa90f2e9
- Filesize: 6KB
  MD5: 4fd6bf6aa07160d85a6f6ec66f535562
  SHA1: 2fed3d652771c4c4dad80bb05f8afe6eecd03c1a
  SHA256: b026418b6dba483b3a4986f65e666c6b7671ccb9f14d0e05759234e3a1fbfd12
  SHA512: 5e776af88e048825cc0efffb2281afd5cdf11cb2f730c1d941adff88e3bb3a9dada659bdfa6a41147bc17e1f7aabf1aa790a6632fd6da5e3fb5c33dd77dc9c1b
- Filesize: 6KB
  MD5: 548dcc25ba6b4b366ae2318964e1579b
  SHA1: 2ff9e3bdcd867c811fa82ea30ce7ccafc7ce13f8
  SHA256: b5e5f401b7739f365d48e26b4d02c62e7e56f31f58441501366d487693906453
  SHA512: 92ebfef9343f1bc624b0478ac97aa65c5766d33aafab3b56ece3d9c9f7dfa33b4f69a97e2b887773e43e5d7f79051f8c0dae64862d2321235c5c786aead1396e
- Filesize: 5KB
  MD5: e31d96f9f0f68de4b8413286c35b565a
  SHA1: 48ba3cc5f926094340b09019c5814366825d59a0
  SHA256: 5e4236f130d9a24096edf1a84160d192e9a65d8bc5c9bb064e24148b19fa0f67
  SHA512: 9fff60bc8c5b3a5cd0b937ccaefeca6c271005ee45ccafbb74df5f624195d6fc197cee87b9f801c9e8dd923be5544407f004cd5691d9f9b8a601dcd71622a781
- Filesize: 5KB
  MD5: fb3d792980a015fc87ae178f4328363f
  SHA1: 4a9098baeb9a208626572cbd45cdff9836aef106
  SHA256: e374356095660f01319d52782dcfb1fdfeef77a4b5dcc41dfddbd590b3042c19
  SHA512: 62c22e7e6fa4f2ce6502819fdbafc5fdeb2e8378c06b0a3729b14eea3ae80ef46a803a4e9fd43264be1830ff3f1275ffba0ba3ff4000474b3f7986ad48959c52
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5: 8c79af6fe3cca8c71f889820a3641dee
  SHA1: 4ec6a5a8f92d142c6b84bfbabd2051874ae66af9
  SHA256: ac0488262311f57bd6aa805b1283780695a1f15d5022ac33225c12c7ca3eca16
  SHA512: e6fea137f20f94a5b3d4847ad9a9fe541340c75782169c3ed8078da377719b10ba487d5d6f852fdc9c277e044f0dc9e82068376b893d756423fd758aa04adcbc
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 44bde8d1dc36f6da22b278b78ea177f6
  SHA1: 51cdd0262ae97030e6ca4219aa52614a6593b011
  SHA256: 6e42c09ed64b75bf108800dba3368a95c6d4999b66e351edb0633b03af03ba22
  SHA512: 05ec27dc31a33581d5db73272b5338ac339518d3bcfec26aa36947329223315c7a7d70fa75e31f103e8c7b92cca4d29d9be52dab445d82d364e55a27f13204e7
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 6KB
  MD5: 19c831f7c67642aa0a582b8c1b7af57f
  SHA1: b555c415c160b88ca893435c770b354a5699b42f
  SHA256: 8ecafc78e35993ca4a49e50d7bfdee77e95b4d10290373c6546b89161877797c
  SHA512: ab98dec20aca82e26bb34a009d48b3d2d62fbdd54ea1f3375bb681e84bf7082ed65c70496cb0758b4987843672d37bf6c937171b812a08dd47869b4be27d3d61
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 10KB
  MD5: e4d495c056c89fc761a84ee3966896af
  SHA1: 5d0dc76aa56a66637d8301e743c2c902a528751d
  SHA256: 368a41d173e18a7cbfae692170d30ad36e1c8f4b2807c76352ecf90c84f2c07f
  SHA512: e09dbfa7319dcceea703257826f893a4baacd609be9482e3b2e5507f305c88f1697df4d3b441b4bf874446a965620ff054462c4433c7859343a11a3c2c7e3d58
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 10KB
  MD5: 9d4254595ffcf78583a1b1847dbacd9c
  SHA1: 32e6cf0003d07d8df17f540562784ac2af8d16c5
  SHA256: 9df31de017aa8009cf4a048fc343dd2eb2b365ff9ed47f4138992b1f3b194b45
  SHA512: 73fd7f193c396c4e4c0e3ec13b22a09d6ea9580f35e1787a6fd690444f468fde6aa60395b00c362762cd8a55444b064c48c901072d86c2b40cdad9144ffb28c8
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 11KB
  MD5: 64a60e0c10f92cd5261290529836a06f
  SHA1: 3af542d993ae70ae72efa55f748a2920b63ddb52
  SHA256: 38753c0fc9f4e741ae4ce6b6b93b92635aa8e0aa92234cc07305fa7e979a28fb
  SHA512: 856e1195b0451621483ed3f526c83d14ed6624852fd554a7b24b1044b2f08e311012869ffc9bf0c23f3fcd85af3a694f267297409fd7e6553afd8a36e290dff3
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: fe644be71792f48757f69f62265eb68b
  SHA1: 47f0a08fccdc2eaead0efb32fa5e093f5a182089
  SHA256: fc3a4e4f171670666760dd36786e4f7189319b15346992faf3e418f77a68b133
  SHA512: 1086e8a3ac37bb8d04cc32dd5f3bba59002f837e5e843a4052e849588102301e1f3bb6cdced83719c74d795b98b7d4e9e8b10e8f10dd319c158259d73c8c951f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: dcd964ed5ef1ec17aa36fb129b2cca21
  SHA1: 73d701f92602909b1bacc4d55550e0808ede5b98
  SHA256: bc41dca4a7ecf1a071f77361a4d932860b7aa81748ac7243150eb57c85bec246
  SHA512: 4daaa0f2115a7a8a29d171803ce0383e2c0d33925b8eecf93766a51d68b16ccf2027ea702d9331b8ea0f8a83bcba4ab8214b4ef24af45f1c98905af29935449f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 6KB
  MD5: 5744d751e79a64879c46cd422c541b2d
  SHA1: b22fce0c0d9fe45603726bb9ab3d54cc9fee027a
  SHA256: 9407ef8058b70402804d4fcf3b04badc84dc5dd8b2e8d8bcee42aaee16c0a73d
  SHA512: 5ea2d1d66955e1c676e95283be11f1b7a20cf8a1a9a3a175eb3bdd4db1d2b023f09cbbf8b83a8560ab15b21178a54171d45cdded736b0cce6bf865e763da3fa5
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 10KB
  MD5: c38963327052b5b2e2ab9ff55c1ebbec
  SHA1: 7cf95f7e37b2dfb73277d2ef746b62910c31a469
  SHA256: 49bfb665fb63ae0bd34bc026b7ac55cfc78a3ae7838dcc234ea35a0e040a48b9
  SHA512: ba06450eb05da9f96ecddb57da0cea6803605ba3f7b9102989dc042d06aa46edcc82a1890b3bea9847b04f212a75d4d3e6acf406b565cf9dcc232b200bed181c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 11KB
  MD5: 304bf13faf998cc91d4c2c8f223be408
  SHA1: 1fb7a762f871f0c9590d3b457f0899409726f358
  SHA256: 875d698228ea01956607113d4847dd84fd7652189578d48f66427cb3ea63a257
  SHA512: 972ce93acffd48caf17ce7af65e013881bea2e3822f9ce3534d35976c4407e14242edaea3c4c3ed3084ab0a144bb7e75b52b0d3e5862cf0e95e8531116bff04b
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore.jsonlz4
  Filesize: 10KB
  MD5: 31fc7fbdfefbc4f7fd80d4347c14c418
  SHA1: 8a512810b90162c66d63f77be07b586fdfb583e9
  SHA256: 8d46686a6e24b201bdf08d62ceda29257493e1ca88f4985a1eed4bd98b7b3811
  SHA512: 809cf87bf56aeb9a03f38a4e30bcc4dd65beadd277690e6bc680a222dd8e50479dd0eea6ff01f7c6d6fd265d9669e8d3c6da22a9be7ae003f3d42d4354b19568
- Filesize: 861B
  MD5: c53dee51c26d1d759667c25918d3ed10
  SHA1: da194c2de15b232811ba9d43a46194d9729507f0
  SHA256: dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
  SHA512: da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c
- Filesize: 408KB
  MD5: 934b81faace8824b29105af62987af2a
  SHA1: 296d77ca6c3dac44ee95dd789f9dc1dc84ef3cef
  SHA256: f95eaf4de259a6e73e86981895f45adc5660268740f34bfddf2d7b4f6a6d4b69
  SHA512: a18b15f38b68b3134c55e314db47b6cee14b6910d7101384cdab53053c2a9c222d7ac70936663e74382cfe9808d6b9d9f893dc377cabbd2d953472f77d7ef246
- Filesize: 4.4MB
  MD5: 6a4853cd0584dc90067e15afb43c4962
  SHA1: ae59bbb123e98dc8379d08887f83d7e52b1b47fc
  SHA256: ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec
  SHA512: feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996
- Filesize: 3.6MB
  MD5: 698ddcaec1edcf1245807627884edf9c
  SHA1: c7fcbeaa2aadffaf807c096c51fb14c47003ac20
  SHA256: cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b
  SHA512: a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
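The dropped-file list above is the part of the report most often copied into blocklists, and copying is where it goes wrong: the labels and digests were extracted fused together, the same path appears several times with different content, many entries carry no path at all, and the final entry is the digest set of a zero-byte file, which will "match" any empty file on any host. The following is an added example, not part of the sandbox report: a Python parser for the report's own layout that validates digest lengths, plus a matcher that computes all four digests of a file and accepts a record only when every digest it lists agrees. The REPORT_FRAGMENT is a constructed fragment containing two records copied from the list above (the 168B Edge index entry and the final zero-byte entry); the IocRecord type and function names are this example's own.

```python
"""Match a file's digests against the dropped-file hash list of a sandbox
report. Added example, not part of the report; REPORT_FRAGMENT is a
constructed fragment in the report's own layout (fused and split label
forms both occur) with digests copied from two of the entries above."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Two records copied from the report: one with a recorded path, and the final
# record, whose digests are those of a zero-byte file.
REPORT_FRAGMENT = r"""
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize168B
MD5edba2f3b690727752e1d41b4f84db24c
SHA1d4765ecd32e519bcd0190cab72a210be5ce88f67
SHA25653b4971becf2fd838be1535041cd4dba5b32b15f22f44e48320994db21c71053
SHA512e823b8fb02715d0115c4df654bb37cd43738f67a63946f6cc5748c7412ec8095255940773aee2697395e46383adf9dda12cefaad67122e9bbf7dad8f5b2442f8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# A label either carries its value on the same line or leaves it for the next.
_LABEL = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)$")


@dataclass
class IocRecord:
    path: str | None = None       # None when the report recorded no path
    size: str | None = None
    hashes: dict[str, str] = field(default_factory=dict)


def _store(rec: IocRecord, label: str, value: str) -> None:
    """Attach one labelled value, rejecting digests of the wrong length or
    with non-hex characters (a truncated hash is the commonest copy error)."""
    if label == "filesize":
        rec.size = value
        return
    value = value.lower()
    if len(value) != HEX_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"malformed {label} digest: {value!r}")
    rec.hashes[label] = value


def parse_report(text: str) -> list[IocRecord]:
    """Records are separated by a lone '-'; any unlabelled line is the path."""
    records: list[IocRecord] = []
    pending: str | None = None      # label whose value is on the next line
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line == "-":
            records.append(IocRecord())
            pending = None
            continue
        if not records:
            continue                # stray text before the first separator
        rec = records[-1]
        if pending:
            _store(rec, pending, line)
            pending = None
            continue
        m = _LABEL.match(line)
        if m is None:
            rec.path = line
        elif m.group(2):
            _store(rec, m.group(1).lower(), m.group(2))
        else:
            pending = m.group(1).lower()
    return [r for r in records if r.hashes]


def match_bytes(data: bytes, records: list[IocRecord]) -> tuple[IocRecord | None, list[str]]:
    """Return (record, agreeing algorithms). A record counts as a hit only if
    every digest it lists agrees with the file: MD5 alone is not enough, since
    MD5 collisions are cheap, and a record that agrees on one digest but not
    another is itself corrupt and is returned as no match."""
    computed = {a: hashlib.new(a, data).hexdigest() for a in ALGOS}
    by_digest = {v: r for r in records for v in r.hashes.values()}
    for algo in ("sha512", "sha256", "sha1", "md5"):   # strongest first
        rec = by_digest.get(computed[algo])
        if rec is not None:
            agreed = [a for a, v in rec.hashes.items() if computed[a] == v]
            return (rec if len(agreed) == len(rec.hashes) else None), agreed
    return None, []
```

Running match_bytes(b"", parse_report(REPORT_FRAGMENT)) returns the zero-byte record with all four algorithms agreeing, which is exactly why that entry should be dropped before the list is fed to any blocking control; the 168B record is only reachable by a file that reproduces the cached Edge index byte for byte.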